Gentoo Archives: gentoo-security

From: Rich Freeman <rich0@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Regeneration of gpg keys after HeartBleed
Date: Tue, 15 Apr 2014 13:28:56
In Reply to: Re: [gentoo-security] Regeneration of gpg keys after HeartBleed by Alex Legler
1 On Mon, Apr 14, 2014 at 5:54 PM, Alex Legler <a3li@g.o> wrote:
2 > On 09.04.2014 18:39, Jo wrote:
3 >> Hi all, this is my first post in this list, so again Hi all!
4 >>
5 >> I'm a bit concerned about the signing keys of the portage tree releases,
6 >> I know that gpg is not the same as openssl but keeping in mind that SSH,
7 >> VPN, HTTPS keys might be compromised for two years, don't you think it's
8 >> a healthy measure to generate a new pair of keys?
9 >
10 > GPG private keys are kept and used nowhere near any server processes,
11 > not transferred via HTTPS or any VPNs, and SSH is not affected. I don't
12 > see an immediate need to rotate them.
14 Agree. Also, in a few months whenever the new GPG policy GLEP is
15 implemented I suspect that many keys will be regenerated anyway.
17 Rich